workleap-skill-safety-review
Agent Skill Safety Evaluation
Evaluate third-party agent skills for security risks before adoption. Follow the five-phase workflow below for every evaluation.
Resolve the skill source
Before evaluating, locate the skill's source code. Skills from public registries follow the {owner}/{repo}/{skill-name} format.
From skills.sh: The skill page is at https://skills.sh/{owner}/{repo}/{skill-name}. The underlying GitHub repo is at https://github.com/{owner}/{repo}. Fetch the SKILL.md and all supporting files from the repo (look for a directory matching the skill name, or check common structures like skills/{skill-name}/, plugins/**/skills/{skill-name}/).
From a local installation: If the skill is already installed, inspect the files in .claude/skills/{skill-name}/ or the project's configured skill directory.
From a PR: If reviewing a pull request that adds a skill, inspect the diff for the added SKILL.md and all supporting files.
Evaluation workflow
Follow these phases in order: